2010

Securing the Cloud: Practicals from the Pros, page 14

Security’s credibility is at an all-time high, but plenty of challenges remain

EXCLUSIVE SURVEY RESULTS, PAGE 24

LIFELONG LEARNER? PROVE IT! PAGE 28

THINK OUTSIDE YOUR JOB, PAGE 6

www.csoonline.com  $9.00  June 2010


FORTUNE 500 COMPANIES DON’T CHOOSE SECURITY ON A WHIM

Over 95 percent of the Fortune 500 choose VeriSign SSL as their online security of choice.

Why? Because VeriSign can enable the strongest encryption available and has the most rigorous authentication standards. Or because VeriSign® Extended Validation (EV) SSL offers the most visible site security available by displaying the green address bar in high-security browsers, which is also the most effective defense against phishing scams. Add it up, and it’s easy to see why industry leaders choose VeriSign, the most trusted symbol of security on the Web.

It’s powerful. It’s the most visible. Learn more about protecting your site and your customers at VeriSign.com/EVSSLPaper.

© 2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, the VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


June 2010 Vol. 9, No. 5

Features...

18 How to Get What You Want (Step One: Stop Talking)
NEGOTIATION Negotiation tactics that work in hostage situations aren’t all that different from what you should be doing at work (and even at home). An expert negotiator says active listening comes first in every successful negotiation.
By Constantine von Hoffman

24 Progress and Peril
COVER STORY | SURVEY Security’s credibility has grown by leaps and bounds this decade, but plenty of challenges remain.
By Derek Slater

Also Inside...

2 From the Editor

4 From the Publisher

6 Join the Discussion
Career Problem: Perspective Stuck in the Box

8 Briefing
■ The Evil Men (Can) Do with Embedded Systems
■ From Microsoft to Adobe Insecurity: One Man’s Journey
■ Five Top Tactics in Retail Theft Today
■ Times Square Bomb Scare May Mean New Levels of Security
■ Facebook Security Flaw Makes Private Chats Public
■ Inside Oracle’s Security Assurance Program

14 Cloud Security: Tools and Experiences
Toolbox As cloud computing races ahead, security is playing catch-up. Here are practical considerations and strategies from cloud thought leaders and early adopters.
By Mary Brandel

28 An Addiction to Success
Industry View You say you’re a lifelong learner? Prove it!
By Michael Santarcangelo

30 The Healthcare-Risk Hunter’s Guide to the Galaxy
CSOView
By Neil Buckley

32 Debriefing
Security Budget Requests Through The Years

CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2010 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: $. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.

Cover illustration by Phil Foster/theispot.com


June 2010 www.csoonline.com 1


[ FROM THE EDITOR ]

Negotiating to the Next Level

A short lecture on why lectures don’t work, and how security departments can get what they really need

Friends always told me I am laid back. Water off a duck’s back, going with the flow and all that.

Turns out this is not remotely true, and I believe it was around the launch of CSO in 2002 that my inner creative control freak fully manifested itself.

Given the chance to help create something new, I wanted pretty much everything done my way. I was mystified then, as I have been many times since, that any colleague who was truly interested in the success of our shared endeavor could fail to grasp the importance of my agenda and the rightness of my opinions.

Ever felt that way? Sure you have. You work in security, after all.

Well gol-ly and surprise, surprise, Sergeant Carter. Turns out that browbeating your colleagues and insisting on the moral correctness of your stance is NOT effective. Even though I still try it from time to time in moments of weakness.

Every year we conduct a survey of security leaders to produce our State of the CSO report. You’ll find key data starting on page 24 of this issue. Overall, the news is very good. Security has matured a great deal as an organizational discipline over the past decade; security leaders generally report that their credibility has never been higher.

But continuous improvement is the name of the game. Getting the budget you need and prioritizing it correctly is still difficult. Security metrics are underdeveloped. Security awareness programs still fall flat.

So how do you get what you need? How do you put your message across effectively?

You start by listening.

Most of us know that by now, at least in theory. But the data says we, as a group, still have room for improvement.

And that’s why we interviewed Chris Voss, a former FBI hostage negotiator who now applies that skill to business settings. Voss says active listening is a skill you can develop through reflection and practice, and it’s the single most important key to successful negotiations.

Read his thoughts starting on page 18. Put these practical ideas to use in your everyday conduct.

Let’s see if we can close the gap on the few State of the CSO numbers that aren’t showing progress yet.

—Derek Slater, dslater@cxo.com


Editor in Chief Derek Slater
Senior Editors Bill Brenner, Joan Goodchild
Copy Editor Colleen Barry
Editorial Administrator Pat Josefek
Contributors Mary Brandel, Neil Buckley, Constantine von Hoffman, Dan Lohrmann, Michael Santarcangelo

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

CXO MEDIA INC.

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant



Photo by Tim Llewellyn


Using a 3M™ Mobile Privacy Film is the right thing to do.

The compliance angel on your shoulder told us so.

3M™ Mobile Privacy Film

Only you can prevent private data from going public. Place a 3M™ Mobile Privacy Film on your device. It picks up where security software leaves off, protecting the exposed area between your screen and your eyes. So you can go about your business without tempting onlookers, innocent or otherwise.

3M is your solution for privacy on every screen. For more information on 3M Mobile Privacy Films or 3M Privacy Computer Filters, visit www.3MPrivacyFilter.com/Security or call 800-553-9215.

© 3M 2010


[ FROM THE PUBLISHER ]

Policy and Responsibility at Facebook

This is not your typical rant against Facebook that has recently become so common in the media. Sure, there are issues with privacy policies and such, but I always keep in mind that it doesn’t cost any money to use Facebook.

I’m also not going to talk about the myriad security issues associated with the site. I hear them every day from all of you. Facebook, like other social media sites, is a vector for malware, a wellhead for data leakage and a time suck when it comes to employee productivity.

What I am going to talk about, however, is policy and responsibility: the obligation to create clear policies and to offer some reasonable controls to enforce those policies.

As with any good, open site, Facebook has explicit policies for usage that define who can use the site, how it can be used, and so on.

One requirement is that a person must be at least 14 years old to open a Facebook account. Seems simple enough. But some kids—imagine this!—lie about their age! As anyone with children can attest, monitoring your kids online is difficult at best. Monitoring their actions on social media sites when you don’t use the sites yourself or aren’t even aware that your children are using them is next to impossible. As Facebook becomes an increasingly attractive vector for attacks and exploitation, those who least understand the risks are the most vulnerable.

But is Facebook’s policy enforced? It’s certainly very difficult, from Facebook’s perspective, to enforce the minimum-age rule, and thus it relies on self-attestation. But a child wanting to violate that policy needs only lie. So Facebook also has a mechanism whereby someone can report a violation of this policy. Great idea, except before you can


drop a dime on someone, you need to friend that person and see what network he or she belongs to. I don’t know many 10-year-olds who would happily accept a friend request from a parent, granting full access to their profiles. The control mechanism is fatally flawed and it’s clear to me, an educated observer, that this policy is really just smoke and mirrors that offer Facebook plausible deniability. I get that. But we’re talking about our kids here, and standards need to be much higher.

I contacted Facebook several times for comment on this issue and received no response.

In our businesses, the issue here is one of policy enforcement. We all have acceptable-use policies addressing a variety of issues. But when policies are not enforced, or are structured in a way that makes them hollow, they aren’t worth the paper they’re written on and provide little protection against violations or liabilities.

You need to enforce your policies with reasonable controls to ensure compliance and reduce risk. Facebook needs to do the same.

Let me know what you think about usage policies at bbragdon@cxo.com.

Best regards,

Bob Bragdon, Publisher

Advertiser Index

3M . 3
CSO . 23, 25
Executive Women’s Forum . C3
ISACA . 5
SpectorSoft Corp . 31
Trend Micro Inc . C4
Tripwire Inc . 9
University of Maryland University College . 17
Verisign . C2


President and CEO Michael Friedenberg
Group Publisher Bob Melk
Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Sales Manager Roz Burke
West Coast Regional Sales Manager Michelle McHugh
Sales Associate Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, GM, Online Operations Gregg Pinsky
VP, Online Sales Brian Glynn
East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Stacy Bryne
Director, Online Account Services Danielle Tetreault
Online Account Services Specialists Jennifer Malkasian, Elise Ryan, Tara Shea

CUSTOM SOLUTIONS GROUP
Vice President Charles Lee
National Sales Directors Tom Grimshaw, Karen Wilde

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs Ellen Daly
Vice President, Event Marketing Michael Garity
Sr. Director, Event Operations Deb Begreen
VP, Content Development & Events Derek Hulitzky

MARKETING
Vice President, Marketing Sue Yanovitch
Sr. Marketing & PR Specialist Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 129, cso@theygsgroup.com




Photo by Christopher Navin


GOOD FORTUNE

BREAK INTO IT.

Register for an ISACA certification exam.

Exam Date: 11 December 2010
Registration Deadline: 6 October 2010

ISACA
Trust in, and value from, information systems

www.isaca.org/csomag

Introducing ISACA’s newest certification:

Certified in Risk and Information Systems Control™
An ISACA® Certification

CISA Certified Information Systems Auditor™

CISM Certified Information Security Manager®

Certified in the Governance of Enterprise IT®

Grandfathering is now open.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com

BLOG POST

Career Problem: Perspective Stuck in the Box

THERE ARE MANY reasons to focus on your basic job duties. That’s all you should be doing in the first six months of a new job. But over time, you need to start thinking more broadly.

We all need to learn the power of the Pareto principle—which states that 80 percent of the effect of our work comes from 20 percent of the causes. In John C. Maxwell’s book, Leadership 101, he describes the power of the Pareto principle at work. Here are a few examples:

■ 20 percent of your time produces 80 percent of your results
■ 20 percent of people take up 80 percent of your time
■ 20 percent of your work gives 80 percent of your job satisfaction
■ 20 percent of people will make 80 percent of the decisions
■ 20 percent of the presentation produces 80 percent of the impact

Maxwell goes on to point out that we need to develop skills in four areas to be successful and maximize our effectiveness: attitude, relationships, equipping and leadership. But many people have given up trying to improve at work. They have decided that they will continue going through the motions for the next decade or more until they retire. They can do their job fairly well, but they either can’t or won’t put forth the effort required to move to the next level as a security leader. They have occasional good days, but their jobs long ago lost any real sense of purpose or excitement for them. They come to work just for the paycheck.

Skeptics might respond by asking: What’s wrong with a good day’s work for a decent salary? Not everyone wants to go the extra mile or move up (or branch out). No doubt, some staff want to do just enough.

But inside-the-box thinking will limit your personal and organizational effectiveness—whatever your role. Mediocrity (or worse) can spread and undermine the entire security team and business. When new paradigms arise or the industry changes, you will be left behind as others forge ahead.

So how can we avoid this career dead end? What is outside-the-box thinking in a security context? Most important, how can all of us gain a wider perspective to help our careers and our business clients?

Solution: Move Beyond Your Position Description

HERE ARE TEN pragmatic strategies to help:

1) First and foremost, understand that the box placed around your position is a good thing that must be respected. Always complete your stated duties and objectives and be sure to meet or exceed these expectations. This is your first priority. Note: Staff not completing their basic tasks are often seen as lazy and not respected.

2) Volunteer for key committees or important ad hoc teams. This may be a Tiger Team for some essential executive-sponsored project. Or you may just become the organizer for the office Christmas party. Strive to lead, deliver and exceed expectations in these roles.

3) Generate good ideas. Look for organizational needs that aren’t being met. Think ahead to upcoming challenges and technologies. Discuss these problems and potential low-cost solutions with your management. Don’t be a complainer, but ask to be put in charge of implementing the fix.

4) If you are thinking, “I tried number three once, but no one listened,” then try again. Repackage your ideas. Maybe it was the wrong time for your solution.




Photo by iStockphoto.com


5) Find out how you can help make your boss’s boss successful. What are his/her priorities? Discuss opportunities to work on those projects with your supervisor.

6) Think beyond your own organization. What industrywide opportunities can you take advantage of? Can your government or company partner with others to provide a better service at a lower cost? Talk to others who you respect if you are unsure about your ideas.

7) What external industry groups will add value? Get involved or even lead these groups. Build cross-boundary partnerships. Think medium- or long-term about possibilities, but stay pragmatic and look for tangible results.

8) What security skills or functions will be needed in the future in your office? What is lacking now? Obtain those skills or offer to provide training and mentor others if you already have those skills.

9) Be known as the “go to” person in the office for specific answers. Start a blog or wiki. Don’t hoard knowledge, but freely give it away. This will build trust and respect all around.

10) Start a brown-bag lunch series to share knowledge if work time for new ideas and approaches is limited.

When I discuss these approaches with others, I am often asked for practical examples that I can share from my career. So here are two examples to illustrate outside-the-box thinking, taken from my years as Michigan’s CISO. In each case, I took a calculated risk at work which, by the grace of God, turned out to provide many more benefits than I initially expected. None of these duties were listed in my job description. However, these activities became vital to our security team’s success. It is also true that I was blessed to work for CIOs who saw the potential benefits and supported my ideas.

Emergency Management (EM) Coordinator: I became Michigan’s first statewide CISO in May 2002. I was also the director of enterprise security within the newly created Michigan Department of Information Technology (MDIT). After seeing the need for a department emergency management coordinator, I volunteered for this role and became the technology department’s liaison with the state police for all of Michigan’s declared emergency situations.


HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.


During the Blackout of 2003, I coordinated our department’s response to this major incident. Our department’s successful planning improved our reputation and led to numerous new relationships and activities. We also improved emergency cyber response procedures and participated in Cyberstorm I and II. We obtained millions of dollars in Homeland Security grants for cybersecurity. Later, we built lasting technology and process improvements into the responses to other emergency situations, such as pandemics.

Michigan InfraGard Executive Board Member: In 2004, I was invited to join Michigan InfraGard. Initially, I felt I was too busy and was reluctant to get involved. However, after attending a meeting, I saw the potential benefits. Washington, D.C., was calling for more public-private partnerships on Homeland Security matters. Over time, I came to see that this group could help Michigan companies and overall emergency response in important ways, including critical infrastructure protection (CIP) measures. Most critical infrastructure elements are owned and operated by the private sector.

I joined the group, and over a six-year span I became the vice president, president and chairman of the board for Michigan InfraGard. We helped organize a Great Lakes CIP conference, which was the first of its kind in the nation and included representatives from the auto makers, the chemical and energy sectors, and many other businesses in the state. Michigan InfraGard now sponsors many cyber and other events that directly correlate with the Michigan CISO’s wider role.

These relationships between state and local government and the private sector have become vital to our success in achieving daily cyber-response functions. Through InfraGard, I became personal friends with many FBI experts, and Michigan has developed detailed procedures on cyber incidents with the criminal justice community. In one case, information provided by our security team led to an arrest in Europe.

Our InfraGard relationships now help before, during and after the response to incidents. Trent Carpenter, our current CISO, has continued as a Michigan InfraGard executive board member and is also our department’s EM coordinator.

In conclusion, each of us has opportunities to think outside the box every day at home and work. One of my favorite John C. Maxwell quotes is this: “To reach the highest level of effectiveness, you have to raise the lid of leadership ability.”

And to lead, you need to think differently. Wherever you are today, I challenge you to move beyond the box placed around your role.

—Dan Lohrmann

Read the rest of Lohrmann’s post at http://blogs.csoonline.com/1198/security_career_problem_7_perspective_stuck_in_a_box



Edited by Bill Brenner

The Evil Men (Can) Do with Embedded Systems

Embedded IT infrastructure is everywhere and full of holes that evildoers can use for world domination. But SecurityFAIL.com aims to stem this tide.

Forget car bombs and crude atomic devices. That’s the stuff Dr. Evil would use to fail. To take over the world, bad guys are better off hijacking embedded systems.

That’s exactly what they’re trying to do, and there are plenty of vulnerabilities for them to exploit, including the systems that control the flow of water and electricity and maintain the equilibrium of sewage treatment and nuclear power plants.

So says Paul Asadoorian, a volunteer at the SANS Institute, founder and CEO of PaulDotCom and host of a popular podcast of the same name. He says it’s time the security community did something to blunt the threat, and he hopes his new SecurityFAIL.com wiki will help move things along.

Think of it as something like the data breach list the Privacy Rights Clearinghouse keeps, except the items listed are embedded system flaws instead of who suffered the latest breach.

There’s not much on the wiki right now, since it’s brand new. But Asadoorian expects people to fill it up quickly. The hope is that critical infrastructure providers running the flawed technology will then take steps to fix it before the bad guys make an example of them.

He explained the danger he’s trying to flag in a presentation he gave at SOURCE Boston in April. “Using embedded systems to gain power is easy,” he says. “Lots of information flows through them, information is power, and the ability to manipulate information is powerful. Multiple computers can be controlled at once.”

When picturing embedded systems, don’t limit your thinking to big critical infrastructure. The damage can begin with your own laptop or the video game you play religiously.

Asadoorian offered a few examples of how embedded systems are used to make money:

■ Videogames: Most are network-connected and involved in commerce.
■ Entertainment: Things like Apple TV and Roku all link back to your credit card.
■ Wireless routers: These route your traffic when you’re doing online banking, using PayPal, etc.
■ Printers/faxes: How many times have you printed sensitive information?

The benefits of attacking embedded systems are myriad, he says: No one pays attention to them until they break, security and logging are often sacrificed to save money, and there’s often no interactive user to deal with. “Embedded systems contain vulnerabilities that go unnoticed [because] vendors are focused on profit, which never equals security,” Asadoorian said.

In one chilling part of his presentation, he pointed out that researchers scanning the Internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and voice-over-IP products that are open to remote attack. Their administrative interfaces are viewable from anywhere on the Internet, and their owners have failed to change the manufacturers’ default passwords.
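The exposure Asadoorian describes, an administrative interface answering to anyone on the Internet, leaves a trace in the device's own logs: admin logins whose source address is not on the local network. The script below is an added illustration, not code from the article or from Asadoorian's presentation, of how a defender can sweep a router, webcam or PBX web-admin log for exactly that. The log format, host names, user names and addresses are constructed for the example, and RFC 5737 documentation ranges (203.0.113.0/24, 198.51.100.0/24) stand in for public Internet sources; only RFC 1918, loopback and link-local space is treated as "inside".

```python
import ipaddress
import re

# Constructed sample lines (not from the article). The field layout imitates a
# typical embedded-device web-admin log; the exact format is an assumption.
SAMPLE_LOG = """\
Jun 12 03:14:07 gw-router httpd: admin login from 192.168.1.20 user=admin result=success
Jun 12 03:15:44 gw-router httpd: admin login from 203.0.113.5 user=admin result=failure
Jun 12 03:15:51 gw-router httpd: admin login from 203.0.113.5 user=admin result=success
Jun 12 03:20:02 cam-lobby httpd: admin login from 10.0.0.7 user=operator result=success
Jun 12 03:21:13 voip-pbx httpd: admin login from 198.51.100.77 user=root result=success
"""

# Address space that legitimately belongs to the LAN side of a home/office device.
# Everything else is treated as "outside", so documentation ranges count as outside.
INSIDE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
)]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) httpd: admin login from "
    r"(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def is_inside(ip):
    """True when the address sits in LAN/loopback/link-local space."""
    return any(ip in net for net in INSIDE_NETS)


def parse_line(line):
    """Return a dict for an admin-login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"] = ipaddress.ip_address(rec["src"])
    return rec


def exposed_admin_logins(log_text):
    """(host, src, user, result) for every admin-UI login attempt whose
    source is outside the LAN. Any hit, even a failure, means the management
    interface is reachable from the Internet and should be firewalled off."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_inside(rec["src_ip"]):
            continue
        findings.append((rec["host"], rec["src"], rec["user"], rec["result"]))
    return findings


def devices_with_outside_admin_success(log_text):
    """Hosts where an outside address actually got into the admin UI; these
    need a credential change and a review, not just a firewall rule."""
    return sorted({h for h, _, _, r in exposed_admin_logins(log_text) if r == "success"})


if __name__ == "__main__":
    for hit in exposed_admin_logins(SAMPLE_LOG):
        print("admin login from outside the LAN:", hit)
    print("hosts with successful outside admin login:",
          devices_with_outside_admin_success(SAMPLE_LOG))
```

On the sample input the sweep reports three outside attempts and two hosts where an outside login succeeded; a failure followed by a success from the same outside address, as on gw-router here, is the pattern a weak or default password produces and is worth alerting on separately.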

So if Dr. Evil smartened up and decided to go after this target-rich environment, what might he do? Asadoorian offered up the following possibilities:

■ Use Google to find the most popular ISPs that provide cable modem routers to users.
■ Use the American Registry for Internet Numbers to discover the IP address ranges assigned to ISPs.
■ Use Nmap to discover all devices that have Port 80 open and identify the service.
■ Manually poke through the results and find “interesting stuff.”

Enter SecurityFAIL.com, a public wiki where the security community can write mini-articles on security failures to put pressure on providers to address flaws. In its debut section on embedded security, participants can offer up anecdotes about how such systems have failed them personally.

Contributors will have to sign up for an account, and Asadoorian says registration will be active in a few weeks. In the meantime, those interested in getting started can e-mail him a request or send stories anonymously for him to post.

—Bill Brenner




CHANGES HAPPEN. BREACHES HAPPEN. AUDITS HAPPEN.

TAKE CONTROL WITH THE TRIPWIRE VIA SUITE

Tripwire VIA is the only solution that integrates both change and event data to help reduce the breach-to-detection time gap. This powerful combination helps your organization prove continuous compliance, protect sensitive data and prevent outages.

Tripwire VIA changes everything.

Find Out More at: VIACHANGESEVERYTHING.COM

THE TRIPWIRE VIA SUITE CHANGES EVERYTHING

The Tripwire VIA suite includes Tripwire Enterprise and Tripwire Log Center. It is the only solution that integrates both change and event data. Make the move to Tripwire VIA. And TAKE CONTROL.

Tripwire Enterprise helps IT tackle security, change and configuration control challenges head-on.

Tripwire Log Center is an all-in-one log and event management solution.

Find Out More at: VIACHANGESEVERYTHING.COM




>>  BRIEFING 


APPLICATION  SECURITY 


FROM MICROSOFT TO ADOBE INSECURITY: ONE MAN’S JOURNEY

Marc Maiffret spent the early part of his career shedding light on major Microsoft vulnerabilities. In his new gig, the names have changed but not the threats.

As co-founder and CTO of eEye Digital Security, Maiffret spent much of his time immersed in the world of Microsoft insecurity. When there was a large zero-day vulnerability, eEye was usually among the first to find it.

He left that job three years ago. In that time, Microsoft has gained newfound respect for security while other popular software vendors are being fingered for making the same mistakes. In an interview with CSO, two names came to mind for Maiffret, now chief security architect at FireEye: Adobe, which faces growing criticism for widely exploited flaws in its software, and Apple, which is increasingly the focus of malware writers.

What's your take on the security vendor community today?

Maiffret: When you look at the industry and the mainstay players, they’ll even tell you that their [malware] signature technology doesn’t work anymore but, “Hey, we have this great behavior-anomaly technology!” What they don’t tell you, and what the IT community can see, is that with those technologies, you are either at one end of the spectrum or the other. If you tune the technology up, you may catch a lot of things, but that includes a lot of false positives. At the other end, the admins tune it down to reduce the false positives, but then they end up missing stuff. At the end of the day, you really can’t have either of these scenarios, but everyone knows we can’t have a utopia, either.

The reality is that we’re at the point where it’s not even the sophisticated attacks that cause all the problems. We’re seeing it with everyday spyware. It’s very hard to tell the two apart, from a threat perspective. In the process, we’ve seen a massive failure of the vendor community to grasp these things.

We used to talk a lot about Microsoft’s security problems. How are they doing now?

I think a lot of people are surprised that I’ve become one of the big advocates of saying Microsoft is getting a lot of things right. They’re not perfect, but their approach to secure code has really come along. A few years ago, I gave a talk called “More than a Microsoft World” where I tried to wake people to the fact that they weren’t always going to be worrying about just Microsoft and Patch Tuesday in the years to come, but also Adobe, Apple, and so on. There are so many third-party applications on the desktop to worry about now.

A lot of security practitioners compare the Adobe of today to the Microsoft of yesterday.

I think the first articles saying Adobe is a bigger threat than Microsoft was something we only started seeing six months ago. The code security isn’t there. The IT controls aren’t there. The bad guys are in full swing taking advantage of these kinds of weaknesses, and the security vendors are playing catch-up.

Adobe does have a visible security division. Do you think this is really about a changing landscape everyone's struggling with?

It’s funny, but you can almost see a pattern among companies when the security spotlight is first thrust upon them. They suddenly find themselves in the crosshairs, and the first thing they do is deny, passing it off as a marketing problem. Luckily, in the case of Apple and Adobe, they seem to have moved past that stage, and they’ve been staffing up on the security side. But Adobe is still in its infancy in terms of having a solid security process in place. But it took many black eyes and many years for Microsoft to get it.

Many people see Apple as more secure than a company like Microsoft. What’s your view?

Most people in the Apple world have a false sense of security and an elitism. I took some heat recently for saying Apple was way behind Microsoft on security. Look who they just hired for security: Window Snyder, who played a lead role in helping Microsoft turn around its security. That shows the company starting to move past the denial. -B.B.

BY THE NUMBERS

This month’s numeric breakdown is based on research gathered from Sourcefire’s Vulnerability Research Team (VRT).

30,000: Individual pieces of malware that the VRT collects daily.

Proportion of the VRT’s daily malware samples that are of the traditional, run-of-the-mill variety.

Fraction of the samples that are exploitable malware.

Quantity of malicious binary intercepted daily by the VRT.




LOSS PREVENTION

Five Top Tactics in Retail Theft Today

While the lousy economy of the past two years certainly hit retailers hard in the form of slow business, many stores had another problem to contend with as well: increased theft. Last year was “the perfect storm in retail shrink,” according to Derek Rodner, vice president of product strategy at Agilence, a maker of retail-loss-prevention products.

“The economy wasn’t doing well, and because business took a hit, retailers stopped spending on new projects and on any unnecessary expenditures-and a lot had to lay off nonessential employees,” he added.

That meant fewer eyes in the store to prevent shrink. “Theft is always a problem, but became exacerbated in this climate,” said Rodner.

But retail theft has changed in the past few years. Smash-and-grabs or hiding stolen items in a bag are no longer the most common ways con artists rip off retailers. Now a fair amount of shrink comes from internal fraud, as well as organized retail crime. Rodner laid out the most common ways tech-savvy criminals are getting away with goods today.

Web sites like Grocerygame.com are hugely popular with shoppers. Such sites allow people to find coupons and big sales and then time their purchases so they reap huge savings. But the popularity of online coupons has also spawned an explosion of counterfeit discounts, Rodner said.

Self-checkout lines have become common in grocery chains and even in some drug and department stores. While research finds that the fear of making a mistake causes most people to be scrupulously honest when using self-checkout, their good behavior makes stealing easier.

“The self-checkout has got this weird dynamic going for it,” said Rodner. “Overall shrink is lower at those checkouts. But the employees that monitor the self-checkout lines are so used to the machine hanging up, it’s become like a car alarm; no one thinks much of it.” As a result, workers monitoring two or three self-checkout lines from a podium tend to allow an item to go through even if the machine doesn’t register it. This lack of attention works to a thief’s advantage.

Self-checkout is relatively new, but sweethearting is as old as retail itself, although the techniques have been updated for the bar code era. For example, a customer goes through the checkout line with an expensive bag of and the person operating the register (a friend of the con artist) runs through a bar code for a much less costly item.

Refund fraud occurs frequently in department stores and has been made more lucrative by the increased popularity and availability of gift cards. “A sales associate gets a dress for $100 off the rack, processes the refund for $100 and then puts the money on a gift card.”

-Joan Goodchild
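The refund-fraud pattern above (an associate refunds merchandise that was never sold and loads the value onto a gift card) is exactly what point-of-sale journal analytics is meant to surface. As an added example, not Agilence's product or code, here is a small Python screen over a constructed transaction journal that flags refunds with no or mismatched original sale, reused receipts, and unusual gift-card refund volume per associate; the record format, SKUs, employee ids and threshold are all constructed for illustration.

```python
"""Refund-fraud screening over constructed point-of-sale (POS) records."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed POS journal, one record per sale or refund line:
# txn id, type, register, employee, SKU, amount, tender, original receipt
# (the receipt a refund references; empty when the customer had none).
POS_JOURNAL = [
    "T001,SALE,R1,E10,DRESS-4421,100.00,VISA,",
    "T002,SALE,R2,E12,SHOES-1188,80.00,CASH,",
    "T003,REFUND,R1,E10,DRESS-4421,100.00,GIFTCARD,T001",  # legitimate
    "T004,REFUND,R3,E31,DRESS-4421,100.00,GIFTCARD,",      # no receipt
    "T005,REFUND,R3,E31,COAT-7730,150.00,GIFTCARD,",       # no receipt
    "T006,REFUND,R3,E31,BAG-0099,120.00,GIFTCARD,",        # no receipt
    "T007,REFUND,R2,E12,SHOES-1188,80.00,CASH,T002",       # legitimate
    "T008,REFUND,R2,E12,SHOES-1188,80.00,CASH,T002",       # receipt reused
]


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str       # "SALE" or "REFUND"
    register: str
    employee: str
    sku: str
    amount: float
    tender: str
    receipt: str    # original receipt cited by a refund, "" if none


def parse_journal(lines):
    """Parse CSV journal lines into Txn records; reject malformed rows."""
    txns = []
    for line in lines:
        f = line.split(",")
        if len(f) != 8:
            raise ValueError(f"malformed record: {line!r}")
        txns.append(Txn(f[0], f[1], f[2], f[3], f[4], float(f[5]), f[6], f[7]))
    return txns


def find_refund_anomalies(txns, gift_card_limit=250.0):
    """Return (id, reason) flags for refunds that need a loss-prevention look.

    Checks, in order:
    1. refund citing no original receipt (policy may allow it, but it is
       the precondition for the "dress off the rack" fraud above);
    2. refund citing a receipt that is not a prior sale of the same SKU
       for at least the refunded amount, or a receipt already refunded;
    3. total gift-card refunds per employee above gift_card_limit, which
       is the per-associate signal an analyst would review against video.
    """
    sales = {t.txn_id: t for t in txns if t.kind == "SALE"}
    refunded = set()
    gift_card_total = defaultdict(float)
    flags = []
    for t in txns:
        if t.kind != "REFUND":
            continue
        if t.tender == "GIFTCARD":
            gift_card_total[t.employee] += t.amount
        if not t.receipt:
            flags.append((t.txn_id, "refund without original receipt"))
            continue
        sale = sales.get(t.receipt)
        if sale is None or sale.sku != t.sku or sale.amount < t.amount:
            flags.append((t.txn_id, "receipt does not match a prior sale"))
        elif t.receipt in refunded:
            flags.append((t.txn_id, "receipt already refunded"))
        refunded.add(t.receipt)
    for emp, total in gift_card_total.items():
        if total > gift_card_limit:
            flags.append((emp, f"gift-card refunds total {total:.2f} exceed limit"))
    return flags


if __name__ == "__main__":
    for ident, reason in find_refund_anomalies(parse_journal(POS_JOURNAL)):
        print(f"{ident}: {reason}")
```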



SECURITY WISDOM WATCH

Social Networking, Stupidity Edition

It's all thumbs down this month, thanks to the recent state of affairs in the social media world. Bill Brenner explains.

Facebook: True, Facebook users shoot themselves in the foot all the time by sharing too much information. But Facebook is making things worse by continually monkeying around with the privacy settings, making it increasingly impossible for users to tell who, exactly, has access to their information.

Foursquare: The platform is billed as a way for people to connect more effectively geographically and find the closest coffee shops, bars and the like. But the more we look at it, the more it comes off as nothing more than a tool for would-be kidnappers and stalkers.

Twitter: In an effort to be more like Foursquare, Twitter decided to add a function that lets users tell everyone exactly where they’re tweeting from. Did we mention yet that we don’t like that about Foursquare?

LinkedIn: This one is still best in terms of locking down the user’s privacy. But very subtle and quiet design changes along the way are giving users increasing opportunities to get themselves into the kind of trouble they now get into via Facebook. -B.B.






PHYSICAL  SECURITY 


Times Square Bomb Scare May Mean New Levels of Security


As  the  events  related  to  the  attempted  car  bombing 
in  Times  Square  unfold,  John  Timoney  is  watching. 

Timoney,  now  senior  vice  president  of  consulting  and 
investigations  at  security  firm  Andrews  International, 
spent  29  years  with  the  New  York  City  Police  Department, 
achieving  the  rank  of  first  deputy  police  commissioner. 

Timoney  was  on  the  NYPD  during  the  1993  World  Trade 
Center  bombing  attacks  and  was  called  upon  to  testify 
about  security  before  the  9/11  Commission.  CSO  asked 
Timoney  about  his  impressions  of  what’s  going  on  in  New 
York,  and  how  this  latest  bombing  attempt  might  affect 
security  operations  both  there  and  around  the  country. 

As you’ve been watching events unfold in the attempted bombing of Times Square, what stands out?

John Timoney: In the last three or four terrorist attempts, it has been people who have lived in America. Going back to the Christmas Day bombing attempt on an aircraft, to the shootings at Fort Hood, these are people who have resided in America or, in the case of the Christmas attempted bombing, were schooled in America. They don’t fit easily into any kind of a profile. They don’t have any kind of pedigree where they are going to come up on the radar screen.

The real problem with this guy accused of planting the bomb in Times Square is he has gone through the process of naturalization. The assumption is that once someone becomes a full-fledged American, they swear loyalty to the country. But apparently that’s not the case.

There may be a tendency here to be too proud of ourselves for managing to assimilate Arab-Americans into mainstream society. You don’t see the kind of isolation here that you see in some parts of Europe. I think we may have been too self-satisfied that we didn’t have the problems they have in some countries. But with this person and others, they are not part of central al-Qaida. It looks like these so-called average Americans are susceptible to the stuff they find on the Internet. They don’t have to go to Pakistan or the Middle East to get radicalized. And it opens a new chapter for us on what are some of the problems we face.

The bombing attempt in Times Square really mirrors the kind of public-space attacks seen in countries that have historically dealt with these kinds of terrorist acts on a regular basis. What are the implications for security now in the United States?

On the front end, in terms of prevention, the best way is to have some kind of informant. Unfortunately, I think we need to expand the use of informants. Also, clearly, in highly attractive targets, in any popular area, in any iconic building or structure, the more physical security you have in terms of guards, the better off you are.

There is also the use of CCTV cameras. Here in the United States, we are a little behind the times. If you want to see how effective a camera is, go to Israel or Northern Ireland, where they deal with this regularly. When a bombing occurs, these cameras are critical in assisting investigators in getting to the bottom of the conspiracy rather quickly. You don’t have to waste time trying to figure out what the person looked like or wondering if there were witnesses. While they may not prevent [attacks], they are a deterrent.

Police constantly talk about the public-the average citizen-as the eyes and ears for the police. I think what we saw the other night in New York was a street vendor acted immediately when he saw something suspicious and got the police there. They were able to get it under control. -J.G.

SOCIAL NETWORKING

Facebook Security Flaw Makes Private Chats Public

Facebook is dealing with the fallout of a security hole that enabled users to see what their friends were saying to others during private chats.

Facebook confirmed last month that a security flaw allowed many users to see the private conversations of their friends.

The exploit was first reported on TechCrunch, complete with a video demonstration of how it works. Facebook disabled the chat feature on the site while it dealt with the situation. In a statement to the press, Facebook officials said they were aware of the problem.

“For a limited period of time, a bug permitted some users' chat messages and pending friend requests to be made visible to their friends by manipulating the ‘preview my profile' feature of Facebook privacy settings,” the statement read. “When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.”

There was no word on how many Facebook users were affected by the flaw.

Facebook has been the subject of criticism lately over security lapses, as well as policy changes that call user privacy into question. -J.G.




APPLICATION  SECURITY 


Inside Oracle’s Security Assurance Program

Oracle CSO Mary Ann Davidson outlines her company's evolving secure coding effort

Oracle has had its share of criticism this past decade over coding holes that led to many a critical patch update. As a result, CSO Mary Ann Davidson has worked to change her company’s code-writing culture.

How well that has gone is in the eye of the beholder-customer. But at the recent Source Boston conference, Davidson outlined specific things Oracle has done to make security a priority from the start of the product development process.

She acknowledged that customers have come down hard on Oracle to do better in recent years, especially in the aftermath of acquisitions like that of Sun Microsystems, a deal Davidson described as a boa constrictor swallowing an elephant.

“Flaws can limit accountability, make it easier for someone to corrupt systems internally, and falsify measurement and reporting,” she said. “It’s bad if there’s a defect in your software. It’s worse if a customer gets breached while you are hosting a service for them.”

She noted that a growing number of customers want third-party organizations to look at Oracle’s code.

They want to know exactly what Oracle is doing for security, she said, adding that as business becomes more regulated, the burden on the vendor as a supplier is heavier than ever.

As Oracle has acquired more technology, that pressure has been amplified. When a team was identified as struggling, “we said, ‘You need to get with the program. This is your cure plan. This product needs to be brought into alignment.’”

The leader of that team resisted and thought it was unimportant, she said. As a result, that person felt the full heat of upper management.

So, what does Oracle’s coding process look like these days? Davidson painted the following picture:

When vulnerabilities are discovered, it falls to the original product developers to fix them. The idea isn’t to punish them, but to help them understand the impact of their actions so they can learn from the experience, she said, adding, “They need to understand how it broke.”

Though not punitive, it has been a powerful motivator, since no one wants to go back and fix something because it wasn’t done right the first time.

Each product group has to work through a security checklist before something is released, and there are different checklists for different groups. Security assurance policies are hammered out at the C-level, and vulnerability-handling policies are developed by Davidson and the chief corporate architect. A security oversight committee meets twice a year to review business risk and security, compliance and physical security.

“Each development organization has a security lead,” Davidson said. “There are security points of contact within each product component.” -B.B.


Verbatim...

Shots heard ’round the security world

“We wanted to help our community to get back the Facebook of old, when privacy was more respected and Facebook was a trusted place to share things with friends and family."

-Untangle CEO Bob Walters on the app his company developed to help users straighten out complex privacy settings

“If I can get you to install anything, I own the system and the applications; it does not matter which app."

-Michael Gough, owner of website SkypeTips.com and author of Skype Me! From Single User to Small Enterprise and Beyond, on the recent surge of worm infections targeting Skype

“Even if you turn off cookies and you use a proxy to hide your IP address, you could still be tracked."

-Peter Eckersley, EFF senior staff technologist, on browser security


By Mary Brandel


Cloud Security: Tools and Experiences

As cloud computing races ahead, security is playing catch-up. Here are practical considerations and strategies from cloud thought leaders and early adopters.

Cloud computing is one of the most-discussed topics among IT professionals today. And not too long into any conversation about the most highly touted cloud models—software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS)—the talk often turns to security.

According to Milind Govekar, an analyst at Gartner, cloud has rocketed up the list from number 16 to number two in Gartner’s annual CIO survey of key technology investments. “Like with anything new, the primary concern is security,” he says. In fact, the vast majority of clients who inquire about cloud, he says, would rather create a virtualized data center on their own premises—what some call a private cloud—because they’re uncomfortable with the security issues raised by cloud computing and the industry’s ability to address them.

“We are in the early stages of a fascinating journey into a new computing model that, for all its purported advantages, from a security and risk point of view, is a difficult thing to deal with,” agrees Jay Heiser, an analyst at Gartner. “The things that make it easy and appealing—like the immediate plug-and-play productivity—also make it impossible to conclusively assess your relative risks.” Current certifications, such as SAS 70 and ISO 27001 and 27002, are not sufficient, he says, leading to frustration for both buyers and sellers.

For this reason, securing cloud computing environments will be a major focus of vendor efforts over the next year, says Jonathan Penn, an analyst at Forrester Research. In the short term, he sees users having to do a lot of the legwork, but over time, “cloud providers themselves will see the opportunity to differentiate themselves by integrating security,” he says. Security vendors accustomed to selling directly to the enterprise will find that they need these cloud providers as a way to reach the market, Penn says, and as the market matures, customers will want this stuff baked into the services they’re buying. “That will be quite a radical change and a disruption,” he adds.

In the meantime, organizations such as the Cloud Security Alliance (CSA) are working to put some shape around the security issues and the ways to address them. The CSA recently released a summary of the strategic and tactical security pain points within a cloud environment, along with recommendations on how to address them. The organization divided the domains into two broad areas: governance and operations (see table).


CSA’S CLOUD DOMAINS

GOVERNANCE
Governance and enterprise risk management
Legal and electronic discovery
Compliance and audit
Information lifecycle management
Portability and interoperability

OPERATIONS
Traditional security, business continuity and disaster recovery
Data center operations
Incident response, notification and remediation
Application security
Encryption and key management
Identity and access management
Virtualization

Source: Cloud Security Alliance


The  CSA  also  summarized  the  top 
threats  of  cloud  computing,  along  with  the 
cloud  models  each  threat  most  pertains  to 
and  guidance  for  remediation. 


TOP THREATS BY CLOUD MODEL

THREAT                                       CLOUD MODEL
Abuse and nefarious use of cloud computing   IaaS, PaaS
Insecure interfaces and APIs                 IaaS, PaaS, SaaS
Malicious insiders                           IaaS, PaaS, SaaS
Shared technology issues                     IaaS
Data loss or leakage                         IaaS, PaaS, SaaS
Account or service hijacking                 IaaS, PaaS, SaaS
Unknown risk profile                         IaaS, PaaS, SaaS

Source: Cloud Security Alliance


The categories of tools that can help address these threats include XML, SOA and application security; encryption tools for data in transit and at rest; smart key management; log management; identity and access management; virtual firewalls and other virtualization-management tools; data-loss prevention; and more. “You’re translating the existing security architecture into the cloud, so there are a lot of different tools you’ll need, some of which already exist and other cases where you need new technology,” Heiser says.

For instance, malware scanning tools will need to look specifically for emerging malware that targets virtual platforms; identity management systems will need to authenticate not just users but also devices and applications; and security information management (SIM) systems will need to log billions of events and analytics.

Forrester also released a list of questions that enterprises should ask to secure their cloud implementation, covering the areas of security and privacy, compliance, and other legal and contractual issues.

ASK PROVIDERS ABOUT THESE KEY ISSUES

SECURITY AND PRIVACY
Data segregation and protection
Vulnerability management
Identity management
Physical and personnel security
Data leak prevention
Availability
Application security
Incident response
Privacy

COMPLIANCE
Business continuity and disaster recovery
Logs and audit trail
Specific requirements (PCI, HIPAA, EU privacy, etc.)
Auditing agreement

OTHER LEGAL AND CONTRACTUAL ISSUES
Liability
Intellectual property
End of service support

Source: Forrester Research

Cloud layers

Experts also emphasize that the level of exposure and risk for the three cloud models are very different, and the way of addressing security also differs, depending on which layer you’re engaging with. “The security requirements are really the same, but as you go from SaaS to PaaS and IaaS, the level of control you have over security changes,” says Mike Kavis, founder of Kavis Technology Consulting and CTO at a startup company. “From a logical view, nothing has really changed, but how you physically do it changes dramatically.”

SaaS. As the CSA explains, with SaaS, the provider’s applications run on a cloud infrastructure and are accessible through a Web browser. The consumer does not manage or control the network, servers, operating systems, storage or even individual application capabilities.

For this reason, the SaaS model integrates the most functionality directly into the offering, with the least consumer extensibility, and “security responsibilities are almost entirely up to the vendor,” Heiser says. “If the vendor doesn’t encrypt data, it’s not encrypted. If there isn’t activity monitoring, you won’t get any.”

PaaS. With PaaS, consumers create applications using programming languages and tools supported by the vendor and then deploy these onto the cloud infrastructure, the CSA explains. As with SaaS, the consumer does not manage or control the infrastructure—the network, servers, operating systems or storage—but does have control over the deployed applications and possibly the application-hosting environment configurations.

There are fewer customer-ready or built-in security features with PaaS than with SaaS, the CSA says, and those that do exist are less complete, but there is more flexibility to layer on additional security. This means users need to pay attention to application security, as well as security issues surrounding the management APIs, such as authentication, authorization and auditing.

IaaS. Here, consumers can provision processing, storage, networks and other fundamental computing resources, as well as deploy and run operating systems and applications, according to the CSA. While they don’t manage or control the underlying cloud infrastructure, they do have control over operating systems, storage and deployed applications, and possibly limited control of select networking components, such as host firewalls, the CSA says.

With IaaS, there are few integrated security capabilities beyond protecting the infrastructure itself, but there’s enormous extensibility, according to the CSA. This means users need to manage and secure operating systems, applications and content, typically through an API.

“A lot of the perimeter security is handled by the vendor, but they’re giving you access to virtual machines, so you still have to build the application and provide the infrastructure control,” Kavis says.

With IaaS, virtualization management is a big concern, says Heiser, particularly when it comes to intrusion detection and the integrity of partitioning virtual machines. “You need to mediate separation and make sure they don’t interact with each other,” he says.

Chris Barber, CIO at Wescorp, says he is concerned about multitenancy and hypervisor vulnerabilities. “Since you have multiple users on a single physical box, there may be a security vulnerability that one user could somehow access another user’s virtual machine,” he says.

In the real world

Perhaps the best way to understand cloud security is through specific examples. Here’s a peek into a few of the biggest concerns that users have and how they handle them.

Cloud  model:  SaaS 

Security  concern:  Single  sign-on 

WHEN LINCOLN CANNON was hired 10 months ago as director of Web systems at a 1,500-employee medical device company, he wanted to help the marketing department make a switch to Google Apps and a SaaS-based training application called eLeap, in the interests of lowering development costs and improving productivity.

However, there were some concerns. Marketing executives didn’t want users to have more than one log-in, and IT wanted to retain access control over the applications, especially when it came to adding new employees and terminating their accounts when they left the company.

Cannon turned to a single sign-on system from Symplified, which communicates with Active Directory to verify the credentials of the user who is trying to log in to the cloud application. Google Apps uses APIs to offload authentication of users to a single sign-on provider, Cannon says, but with eLeap, the system needed to use an authentication adapter.

Either way, “it’s kind of like a guardian,” Cannon says. “To get to our instance of eLeap training or Google Apps, you have to authenticate with the single sign-on provider.” And it’s synchronized with Active Directory. “We define, through Symplified, which of our accounts has access to these SaaS applications, and when we kill the account in Active Directory, it prevents anyone from using that account to access those SaaS applications,” Cannon says.

The Symplified system can operate in a SaaS model itself, but the device company chose to implement a Symplified-managed router behind its firewall. It did this because IT didn’t want to manage user accounts and passwords in the cloud. “All that happens behind the firewall,” Cannon says.
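The arrangement Cannon describes, an on-premises broker that consults the directory, hands the SaaS application a signed assertion, and cuts off access as soon as the directory account is killed, can be modelled end to end. The following is an added example, not Symplified’s, Google’s or the device company’s code. The directory contents, the group names, the HMAC-signed assertion format and the five-minute lifetime are assumptions standing in for the SAML exchange a real broker would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the on-premises directory. A real broker would
# query Active Directory over LDAP; the fields are the ones SSO cares about:
# whether the account is enabled and which groups it belongs to.
DIRECTORY = {
    "jsmith": {"enabled": True, "groups": {"marketing", "eleap-users"}},
    "rlee": {"enabled": True, "groups": {"engineering"}},
    "mjones": {"enabled": False, "groups": {"marketing", "eleap-users"}},  # terminated
}

# Which directory group entitles a user to which SaaS application (assumed).
APP_ENTITLEMENTS = {"google-apps": "marketing", "eleap": "eleap-users"}

ASSERTION_TTL = 300  # seconds; a short lifetime bounds replay of a captured token


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def broker_issue(key: bytes, user: str, app: str, now=None):
    """Broker side: check the directory, enforce entitlement, and issue a
    signed, short-lived assertion for `app`. Returns (assertion|None, reason)."""
    now = time.time() if now is None else now
    rec = DIRECTORY.get(user)
    if rec is None or not rec["enabled"]:
        return None, "account missing or disabled in directory"
    need = APP_ENTITLEMENTS.get(app)
    if need is None or need not in rec["groups"]:
        return None, "not entitled to %s" % app
    claims = {"sub": user, "aud": app, "iat": int(now), "exp": int(now) + ASSERTION_TTL}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig), "ok"


def saas_verify(key: bytes, app: str, assertion: str, now=None):
    """SaaS side: accept the login only if the assertion is intact, was
    issued for this application, and is still inside its validity window."""
    now = time.time() if now is None else now
    try:
        body, sig = assertion.split(".")
    except ValueError:
        return None, "malformed"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("aud") != app:
        return None, "assertion issued for a different application"
    if claims["exp"] <= now:
        return None, "expired"
    return claims["sub"], "ok"


def sso_login(key: bytes, user: str, app: str, now=None):
    """The full exchange: user -> broker -> SaaS application."""
    assertion, why = broker_issue(key, user, app, now)
    if assertion is None:
        return None, why
    return saas_verify(key, app, assertion, now)


if __name__ == "__main__":
    k = b"shared-secret-between-broker-and-saas"  # assumed pre-shared key
    print(sso_login(k, "jsmith", "eleap"))   # ('jsmith', 'ok')
    print(sso_login(k, "mjones", "eleap"))   # disabled in the directory: denied
    print(sso_login(k, "rlee", "eleap"))     # not in the entitling group: denied
```

The caveat this makes visible is that killing the directory account stops new logins immediately, but an assertion already issued stays valid until it expires, so the assertion lifetime (and any session the SaaS application builds on top of it) is the real upper bound on how long a terminated user keeps access.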

Cloud  model:  IaaS 

Security  concern:  Data  encryption 

AT FLUSHING BANK in New York, CIO Allen Brewer turned to the cloud for data backup after getting fed up with on-site tape backup. Using Zserver from Zecurion, Flushing is now sending files over the Internet to be stored for backup. The prime concern for the bank was data encryption and finding a provider that could accommodate the bank’s already-developed encryption algorithm. “Some rely on the vendor to supply encryption, but we do our own,” Brewer says. “Everything we send and store is encrypted at the vendor site.”

Several providers of cloud-based backup storage install appliances at the customer site to accommodate encryption, but Flushing was not interested in that setup. Brewer also chose Zecurion because he knows the location of the data center where his information is stored. “We know one of their three data centers has our data— it’s not just sent into the cloud and we don’t know where the data is,” he says.

Cloud  model:  Private,  on-site  cloud 
Security  concern:  Virtualization 

WHEN MATT REIDY, director of IT operations at SnagAJob.com, embarked on the company’s three-year technology refresh, his goal was to move from a 75 percent virtualized environment to a 100 percent virtualized, private secure-compute cloud, using Dell blade servers running VMware and vSphere at the core.

As a high-growth, entrepreneurially spirited dotcom, Reidy says, SnagAJob wanted the flexibility of a cloud model, but “we weren’t ready to use cloud services from other vendors. A lot of stuff we’ll do will wither and die on the vine, while other things will take off, and having a virtual cloud infrastructure will enable that with minimal talent investment, as far as time spent to spin new things up.”

Before the technology refresh, SnagAJob had a multitier infrastructure, with firewalls providing physical separation between the Web, application and database layers. Reidy was able to attain 100 percent virtualization by eliminating the physical firewalls and implementing a virtual firewall from Altor Networks. The only place a physical firewall will continue to exist is at the perimeter, in addition to an intrusion detection and prevention appliance.

Before vSphere Version 4, Reidy explains, you could get firewall appliances running as virtual machines, but “they were severely limited in their performance, because network traffic had to pass through those virtual machines,” he says. But now, vSphere includes an API called VMsafe that enables firewall vendors such as Altor, Check Point and others to move traffic inspection into the VMware kernel.

“It improves performance, stability and security by a factor of 10,” Reidy says.

With the Altor virtual firewall, Reidy’s team can also see, for the first time, what traffic is flowing between which virtual machines, including protocols and data volume. “That’s a challenge in the virtual cloud space— traditional products won’t capture that,” he says. “We’re able to tighten our security more because we can see what’s flowing and write rules based around what we see versus what we think is going on.” Other sources of such visibility, he says, include Cisco Systems’ NetFlow and Juniper’s J-Flow, as well as sFlow, an open standard.
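Reidy’s point that firewall rules should follow observed traffic rather than assumptions can be made concrete with flow records. The example below is added here and is not Altor’s, VMware’s or SnagAJob’s code. The flow record format, the VM-to-tier mapping and the records themselves are constructed for the illustration; a real deployment would read NetFlow, J-Flow or sFlow exports. It summarizes which tiers talk to which over which ports, turns the observed set into an explicit allow-list, and then evaluates later flows against that list with a default deny.

```python
from collections import defaultdict

# Constructed VM-to-tier map for a three-tier application (assumed addresses).
TIERS = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.10": "app",
    "10.0.3.10": "db",
}

# Constructed flow records in a simplified NetFlow-like shape:
# (src_ip, dst_ip, protocol, dst_port, bytes).
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.10", "tcp", 8080, 120_000),
    ("10.0.1.11", "10.0.2.10", "tcp", 8080, 95_000),
    ("10.0.2.10", "10.0.3.10", "tcp", 3306, 400_000),
    ("10.0.1.10", "10.0.2.10", "tcp", 8080, 80_000),
]


def summarize(flows, tiers):
    """Aggregate bytes per (src_tier, dst_tier, proto, dst_port)."""
    totals = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        key = (tiers.get(src, "unknown"), tiers.get(dst, "unknown"), proto, port)
        totals[key] += nbytes
    return dict(totals)


def derive_allow_list(summary, min_bytes=0):
    """Turn observed tier-to-tier services into explicit allow rules.
    min_bytes lets an operator ignore one-off noise before trusting a path."""
    rules = set()
    for (src_t, dst_t, proto, port), nbytes in summary.items():
        if "unknown" in (src_t, dst_t):
            continue  # never auto-permit traffic involving an unclassified VM
        if nbytes >= min_bytes:
            rules.add((src_t, dst_t, proto, port))
    return rules


def evaluate(flow, rules, tiers):
    """Default-deny check of a single flow against the derived rules."""
    src, dst, proto, port, _ = flow
    key = (tiers.get(src, "unknown"), tiers.get(dst, "unknown"), proto, port)
    return "allow" if key in rules else "deny"


def audit(flows, rules, tiers):
    """Flows the derived policy would block: the candidates to investigate
    (or to turn into an explicit new rule if they are legitimate)."""
    return [f for f in flows if evaluate(f, rules, tiers) == "deny"]


if __name__ == "__main__":
    summary = summarize(OBSERVED_FLOWS, TIERS)
    rules = derive_allow_list(summary)
    for r in sorted(rules):
        print("allow %s -> %s %s/%d" % r)
    # Constructed later traffic, including a web VM going straight to the DB.
    new_flows = [
        ("10.0.1.11", "10.0.2.10", "tcp", 8080, 5_000),
        ("10.0.1.10", "10.0.3.10", "tcp", 3306, 2_000),
        ("10.0.3.10", "10.0.1.10", "tcp", 22, 900),
    ]
    for f in audit(new_flows, rules, TIERS):
        print("blocked:", f)
```

Rules are keyed on tiers rather than on individual VM addresses so that a new web VM cloned from the same image inherits the same policy; the unclassified-VM branch is deliberate, since a learned allow-list that silently admits anything it has seen is only as good as the inventory behind it.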

Cloud model: IaaS

Security concerns: Virtualization, business continuity, auditing

AT HIS STARTUP, Kavis has chosen to use Amazon to host his entire infrastructure. Before doing that, he sat down with a security specialist, who identified all the requirements for implementing the virtual machines. Kavis then built a virtual image applying those controls and created a snapshot that he can replicate anytime he needs to set up a new virtual machine. “Amazon provides you with the virtual image software, but it doesn’t apply the security to it,” Kavis says. “With PaaS, that would all be taken care of for me, but with IaaS, I can build the security to the level I want, and I have a lot more flexibility over what the machine is doing.”

Kavis also has to perform all the functions that a systems administrator would, such as opening and shutting down ports, writing configurations and locking down the database, which he does using the LAMP stack, provided by Amazon out of the box. Kavis is 100 percent comfortable with the perimeter security provided by Amazon, which is “at a level very few companies can do,” he says.
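A hardened image only pays off if every VM launched from the snapshot still matches what the specialist specified, and the CSA’s earlier point that IaaS users must secure the operating system, applications and content themselves comes down to the same check. The following is an added example, not Amazon’s tooling or Kavis’s own scripts: a baseline declared as data, checked against a constructed `ss -ltn` listener table and constructed sshd and MySQL config fragments. The control set, the allowed port list and the config text are assumptions for the illustration.

```python
import re

# Baseline as data: what the specialist's requirements translate to (assumed).
BASELINE = {
    "listen_ports_allowed": {22, 80, 443},
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "mysqld": {"bind-address": "127.0.0.1"},
}

# Constructed `ss -ltn` output from a freshly launched instance.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
"""

# Constructed config fragments with the kind of drift a rebuild can introduce.
SSHD_CONFIG = """\
# sshd_config (constructed)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
"""

MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
bind-address = 0.0.0.0
"""


def exposed_listeners(ss_text):
    """Ports of sockets listening on a non-loopback address."""
    ports = set()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        if addr not in ("127.0.0.1", "[::1]"):
            ports.add(int(port))
    return ports


def effective_settings(config_text, first_wins=False):
    """Key/value pairs from a config, ignoring comments and section headers.
    sshd uses the first value it sees for a keyword, mysqld the last, so the
    caller chooses which occurrence is the effective one."""
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0], parts[1].strip()
        if first_wins:
            settings.setdefault(key, val)
        else:
            settings[key] = val
    return settings


def check_baseline(baseline, ss_text, sshd_text, my_cnf_text):
    """Return a list of human-readable findings; empty means the instance
    matches the baseline."""
    findings = []
    for port in sorted(exposed_listeners(ss_text) - baseline["listen_ports_allowed"]):
        findings.append("port %d listening on a non-loopback address" % port)
    sshd = effective_settings(sshd_text, first_wins=True)
    for key, want in baseline["sshd"].items():
        got = sshd.get(key)  # None means unset, so sshd's own default applies
        if got != want:
            findings.append("sshd %s is %r, baseline requires %r" % (key, got, want))
    mysql = effective_settings(my_cnf_text)
    for key, want in baseline["mysqld"].items():
        got = mysql.get(key)
        if got != want:
            findings.append("mysqld %s is %r, baseline requires %r" % (key, got, want))
    return findings


if __name__ == "__main__":
    for finding in check_baseline(BASELINE, SS_OUTPUT, SSHD_CONFIG, MY_CNF):
        print(finding)
```

Treating an unset sshd keyword as a finding is deliberate: a commented-out `PasswordAuthentication no` leaves the daemon at its default, which is to accept passwords, so a check that only looks for wrong values would miss it.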

To ensure business continuity, Kavis replicates everything to at least two additional environments, in different zones. “The only way I can be totally down is if multiple Amazon zones are down,” he says. “And Amazon has very high reliability in each specific zone, so we’ve never had everything down at one time.” With IaaS, he emphasizes, “it’s up to me to build an architecture that can have high reliability.”

One concern Kavis has yet to address is auditing. “Because the rules haven’t changed to reflect cloud computing, regulations still require visits to the physical box, and you can’t do that in the public cloud,” he says. For data that falls under compliance regulations, Kavis plans to use a virtual private cloud. “The vendor will say, ‘Here’s your server, locked in a cage, and if you ever have an audit, you can bring in the auditors to look at it.’ We’ll use that for passing audits, but everything else will be in the public cloud.” Even if he needs to house certain types of data on-site, he says, “we will still offload processing to the public cloud to get those benefits of scale and cost.” ■


Mary  Brandel  is  a  frequent  contributor  to 
CSO.  Send  feedback  to  Editor  Derek  Slater  at 
dslater@cxo.com. 


DEFEAT CYBER CRIMINALS. AND YOUR COMPETITION.

CYBERSECURITY

Sharpen your skills and give yourself a major edge in the job market with a cybersecurity degree from University of Maryland University College (UMUC). Our degrees focus on technical and policy aspects, preparing you for leadership and management roles— and making you even more competitive for thousands of openings in the public and private sectors. Courses are available entirely online, so you can earn your degree while keeping your current job.

Designated as a National Center of Academic Excellence in Information Assurance Education by the NSA and the DHS

Advanced virtual security lab enables students to combat simulated cyber attacks

Scholarships, loans and an interest-free monthly payment plan available

UMUC. Enroll now. University of Maryland University College. Copyright © 2010 University of Maryland University College. 800-888-UMUC • umuc.edu/cyberspace


NEGOTIATION

Former lead FBI hostage negotiator Chris Voss: “A negotiation is really a discovery process for both sides.”

How to Get What You Want (Step One: Stop Talking)

Negotiation tactics that work in hostage situations aren’t all that different from what you should be doing at work (and even at home). An expert negotiator says active listening comes first in every successful negotiation.

By Constantine von Hoffman


IF YOU’RE IN DEEP TROUBLE, the person you want on your side isn’t some real-life Jack Bauer; it’s Chris Voss. He’s been trained in negotiation by Scotland Yard, Harvard University and the FBI, where he was a negotiator from 1992 until 2007, when he retired from his position as the bureau’s lead international kidnapping negotiator. He had a key role in creating and teaching the FBI’s national negotiation course and was responsible for recruiting, training and leading its 90-person corps of emergency negotiators. He has taught business negotiation at Harvard and is currently doing the same at Georgetown University’s McDonough School of Business. He is head of the Black Swan Group, a firm that specializes in business and security negotiations.

CSO: What is the key thing to know before starting a negotiation?

Chris Voss: You want to use it to gather information. You need to find out everything you possibly can through the negotiation process. You’ve got to take all of your assumptions and test them. That’s why I don’t even call the assumptions “assumptions” any more. I call them a hypothesis, because it requires you to test it. Now, there’s nothing wrong with making assumptions. The problem with assumptions is people never test them. For instance, they just assume the other person has the same beliefs they do. If you start from there, then there’s always going to be things you believe to be true about the other person which are slightly off. If that accumulates on you, then it’ll be like building a foundation that’s out of line— you know eventually everything’s going to fall. So your first rule is find out what their assumptions are.



The way to do that is be credible, treat the other side with respect and be patient. If you do those things, then that enables you to build a relationship. It lets the other side feel comfortable because you’re credible, you’re trustworthy, you’re respectful. You will help them discover what the problems really are and what the answers really are.

A negotiation is really a discovery process for both sides. That’s one of the reasons that really smart people have trouble being negotiators— they’re so smart they think they don’t have anything to discover.


I have one minute before a negotiation starts and I’m clueless. Give me something I can use.

One of the most effective tools in negotiation is the open-ended question. That’s a question that the other side can respond to but that has no fixed answer.

The secret to gaining the upper hand in negotiations is giving the other side the illusion of control. And that’s exactly what an open-ended question does. It makes people feel powerful and in charge, and they have no idea how constrained and bound they are by it. You really frame the conversation for them, but they feel very powerful.

Here’s an example: One time there was a kidnapping of a drug dealer’s girlfriend in Pittsburgh. And for whatever reason, this drug dealer came to the FBI for help, which kind of seems contrary to his best interests, but he did. So the agents were working with him and coaching him, trying to get his girlfriend back. There was a struggle over the issue of proof of life, whether or not the girlfriend was alive. At that time, in kidnapping, what we always used for proof of life was something like, “What was the name of the girlfriend’s teddy bear when she was a little girl?” You know, your typical computer security question.

That seems to the listener like an open-ended question, but it actually has a very specific answer. One of the problems with that particular type of question was that at the time, it had sort of become a signature of law enforcement in the kidnapping world. When a family starts asking a question of that type, there’s a pretty good chance that they’re being coached by the cops, which makes kidnappers very nervous.

But in this kidnapping, this unsophisticated drug dealer hadn’t had the opportunity to be coached up to be sophisticated and ask the right proof-of-life question, so instead he asked the kidnapper, “Hey, dog, how do I know she’s all right?” Which is a much broader open-ended question and it’s actually the perfect opening question. The kidnapper just hesitated and stopped, and his tone of voice changed; he was completely taken aback. And he said “Well, I’ll put her on the phone.” And I thought, “Wow, that unsophisticated drug dealer just pulled off a phenomenal victory in the negotiation.” To get the kidnapper to volunteer to put the victim on the phone is massively huge.

Whether it’s kidnapping or whether it’s a business negotiation, an open-ended question forces the other side to take an honest look at you and answer your question.

I actually didn’t appreciate the power of the open-ended question until I ran across a business book called Start With No, by Jim Camp. I already knew about open-ended questions, but Camp has a great chapter in that book that really lays out the power of open-ended questions. It woke me back up to how effective they could be. It got me wondering if it was possible to take those business-negotiation skills and make use of them in what we did.

Are there things a CSO can do to prepare for a possible kidnapping or other type of security negotiation? What sort of plans should be in place?

You want to know which U.S. government agencies you need to deal with and if they have any experience with negotiating this sort of thing. A lot of them don’t, and they can give you terrible advice. At the same time, you need to be totally transparent with the government so you don’t get into trouble with the Foreign Corrupt Practices Act when dealing with things like ransom.

Want to negotiate more effectively in professional and personal settings? Talk less and listen more. Expert negotiators at the FBI and elsewhere have found active listening to be key in any negotiation. Here are seven keys to active listening:

1 Showing Your Interest: Prove you’re listening by using body language or brief verbal replies that show interest and concern. Simple phrases such as “yes,” “OK” or “I see” effectively show you are paying attention. This encourages the other person to continue talking and relinquish more control of the situation to the negotiator.

2 Paraphrasing: Tell the other person what you heard them say, either quoting them or summarizing what they said.

3 Emotion Labeling: This means attaching a tentative label to the feelings expressed or implied by the other person’s words and actions. This shows you are paying attention to the emotional aspects of what the other person is conveying. When used effectively, emotion labeling is one of the most powerful skills available to negotiators because it helps identify the issues and feelings driving the other person’s behavior.

4 Mirroring: Repeating the last words or main idea of the other person’s message. This indicates interest and understanding. For example, a subject may say, “I’m sick and tired of being pushed around,” to which a negotiator can respond, “Feel pushed, huh?” Mirroring can be especially helpful in the early stages of a crisis, as negotiators attempt to establish a nonconfrontational presence, gain initial intelligence and build rapport.

5 Open-Ended Questions: Use open-ended questions instead of “why” questions, which could imply interrogation. If you do most of the talking, you decrease the opportunities to learn about the other person. Effective open-ended questions include, “Can you tell me more about that?” “I didn’t understand what you just said; could you help me better understand by explaining that further?” and, “Could you tell me more about what happened to you today?”

6 “I” Messages: Negotiators have to avoid being provocative when they express how they feel about certain things the other person says or does. Using “I” statements lets you ostensibly shed the negotiator role and react to the subject as just another person. For instance, you might say, “We’ve been talking for several hours, and I feel frustrated that we haven’t been able to come to an agreement.” This is also an effective tactic if the other person verbally attacks, because it lets you respond with, “I feel frustrated when you scream at me, because I’m trying to help you.” Remember: Never get pulled into an argument or trade personal attacks with a subject.

7 Effective Pauses: Any good interviewer knows the power of the long, awkward silence. People tend to speak to fill spaces in a conversation. Therefore, you should, on occasion, consciously create a space or void that will encourage the other person to speak and, in the process, provide additional information.

Adapted from the article “Crisis Intervention: Using Active Listening Skills in Negotiations” by Gary W. Noesner and Mike Webster, published in the 1997 issue of the Law Enforcement Bulletin. Full text available at: www.au.af.mil/au/awc/awcgate/fbi/crisis_interven2.htm.

For more negotiation information, check out the Air Force’s Negotiation Center of Excellence website at negotiation.au.af.mil.

So what made you go from hostage negotiator to business negotiator?

It started one time after we had a case that hadn’t gone particularly well. I was in the process of searching for answers to try to figure out if we could do better. One of the first places I went to was Harvard, because I wanted to start looking outside of the normal hostage-negotiation community for ideas.

I went to a Harvard Executive Education class that focused on dealing with difficult negotiators and negotiation for senior executives. The instructor, Bob Bordone [director of Harvard’s negotiation and mediation program], stood up, and the first words out of his mouth were, “Active listening is a stealth weapon of effective negotiation.”

They turned out to be very big believers in active listening. That showed me they knew what they were talking about. That’s the cornerstone of hostage negotiation. And it was the main basis of the class they were teaching. I had written the active listening deck for hostage negotiators at the bureau, and when I heard Bob say that, I knew I had to put that quote in the very first slide.

It really intrigued me, because I’d discovered somebody outside of the hostage-negotiating world whose thinking was along the same lines as mine. It made me want to learn more.

What is active listening?

Active listening means listening to the person you’re negotiating with to find out what’s driving them, what’s important to them, what’s motivating them. This way, you’re really fleshing out where they’re coming from in a three-dimensional way. A lot of times, the person you’re talking with isn’t completely aware of it themselves. There are things they’re expressing indirectly.

Active listening is a bunch of relatively simple skills. One is asking questions to clarify what the other person said. These are questions like, “How many...?” or, “What did you feel?” That gives us more information and it lets the other person know we are going to work with them and want to understand them.




What else?

There’s paraphrasing. That’s saying back to the other person, in your own words, what you think he just said. It means repeating back in a succinct manner. That’s really useful in trying to understand what the other person means— instead of mind reading.

Paraphrasing really helps you build that trust. The other person gets to hear how their communication was received and whether or not it has been heard correctly. You ask questions that start with, “Let me see if I understand,” or, “Am I right in thinking.”

That lets them tell you stuff, because they’ll want to give you more details about something you left out or they don’t think you got right. You can get more information and they get the feeling that you really want to understand where they’re coming from.

There’s also something called emotion labeling. That’s reflecting on the emotion of, or what’s really implied by, what someone is saying.

So if someone sounds angry, you have to look at the real question, which is, Why are they angry? What’s driving them or what’s driving their reaction? Anger is the result of something else. It’s the result of frustration and it’s the result of disappointment, it’s the result of a failure of some sort. So when you hear that somebody’s angry, you have to begin to think, “All right, there’s a failure here someplace, there’s a frustration here, there’s a fear of loss.” So you know to ask questions that show you understand their anger and want to know more about it.

Your job as a negotiator is to help them feel safe enough to tell you what that problem truly is, to really expose themselves. And that’s a dangerous thing to do in business negotiations because, many times, if business negotiators lay their cards on the table and truly expose themselves, they’ve opened themselves up to really being taken to the cleaners in a negotiation. So you’ve got to earn that position by building a good relationship in the negotiation, and by being credible and being trustworthy.

But how did all this get you into business negotiating?

After talking with Bordone, I knew I wanted to study with them some more. So I talked them into letting me come to their winter negotiation workshop. It’s the same negotiation course that they teach during the semesters, but it’s an all-day, every-day course over like a week. I initially went up there thinking hostage negotiation was different than business negotiation.

I thought maybe it would be a more refined and gentlemanly endeavor. I looked at hostage negotiation as really sort of like bare-knuckle brawling— and in many cases, if it’s a kidnapping, over a ransom.

In an international kidnapping, you really use the negotiation process to just beat the kidnappers into submission. Part of the reason for that is that if a ransom ultimately gets paid, it means you get the victim back. You also use the process to try to create opportunities for the victim to either escape or be rescued.

The other thing is, you use the process in an international kidnapping to gather as much evidence as possible— by taping the negotiations for example. In many cases, the evidence gathered in negotiations is the only evidence you get.

Sometimes that pays off big. We had a kidnapping in Trinidad and the authorities picked up the guy we suspected did it. They were pretty sure that it was him on the tape, but they weren’t completely sure. And the tape was the only evidence. So they played the tape for the kidnapper, and they just sat there and stared at him. And he said, “OK, that’s me.” Which gave them the confession they needed because it was their only chance of getting him. He was an idiot.

So I thought that business negotiation would be really different than that.

I went through the course with my bare-knuckles approach and, in all the bargaining simulations, I pretty much slaughtered the people on the other side. Then, on the very last day, we were given our most complicated exercise. It was a multi-party, multi-issue exercise. During the review of that, I realized that it was all the same thing. It was just that the stakes were different. I went through that course in 2006, and that was about the time that I was starting to think about retirement anyway. It made me think, “This is the direction that I want to go in.”

It’s interesting that you say that you want to beat them into submission, but you also need to establish trust.

That’s a good observation.

Having done negotiations where someone’s life is at stake, does it ever irritate you when people are treating a business deal as if it’s a life-or-death thing?

Not really. I understand it’s the most important thing going on with them right now. It makes sense that it feels intense to them.

You’ve got a unique set of skills here. I’m guessing you always get what you want when you buy a car.

Pretty much. Except when I went to get my son a car. Then I had this emotional stake of wanting to do good by my son and maybe wanting to show him how good I was. I had an agenda that got in the way of all my active listening. The sales guy was in charge. He’d ask a question and just sit there, silent, waiting for me to answer. When we drove away I was like, “Son of a [gun]! He got me.”

For many of us, the most regular negotiation we face is who has to do the dishes after dinner. So in your house, who usually winds up doing the dishes?

[Laughs] Me. ■


Constantine  von  Hoffman  is  a  freelance 
writer.  Send  feedback  to  editor  Derek  Slater  at 
dslater@cxo.com. 




SECURITY 


TM 


NEWSLETTER 


Security  Smart  is  a  quarterly  security  awareness  newsletter  ready 
for  distribution  to  your  employees — saving  you  precious  time  on 
employee  education!  The  compelling  content  combines  personal 
and  organization  safety  tips  so  is  applicable  to  many  facets 
of  employees'  lives.  And  the  easy  to  read  design  has  multiple 
entry  points  so  you  are  assured  that  your  intended  audience  of 
employees — your  organization's  most  valuable  assets — will  read 
and  retain  the  information. 


Jjcu 


KlTy 


SAFb, 


/ 


GtMSo 

r-j  u*SlajR 

weao 

OUan.y°^tra^,  C 


vAcy 


rela* — , , 


4rlV< 


'°hk 


and 


Subscribe  today! 


0/£> 


To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 




For  more  information  please  visit 

www.SecuritySmartNewsletter.com 

Security Smart is published by CSO, a business unit of CXO Media. © 2007 CXO Media Inc.


BUSINESS  RISK  LEADERSHIP 


COVER  STORY  |  CSO  ROLE 


1. How well does each statement describe your organization?
(Percent who Agree or Strongly Agree with each statement)

Statement | 2004 | 2010
--- | --- | ---
Senior management has established a security policy and auditing process. | 23% | 81%
Senior management views the security leader’s role as strategic and permanent. | 17% | 72%
Security is viewed as essential to business as opposed to an overhead cost. | 25% | 66%
Security considerations are a routine part of your company’s business processes. | 28% | 63%
All employees receive training in all security policy topics. | 38% | 78%
All employees know the sanctions and consequences of a security policy breach. | 42% | 63%
All managers in the organization understand their roles and responsibilities in regards to security. | 45% | 44%
All employees consider security to be part of their everyday responsibilities. | 38% | 40%

TAKE A MOMENT to reflect on the enormous progress reflected in this chart.

Six years ago, respondents reported a generally low regard for security risk management within their companies. Policies were not defined. Security leaders were sidelined. Training was minimal.

Today’s scenario is different on almost every score; 2010 respondents indicate that security programs are well established in most companies, including policies, personnel and training.

Other than Internet marketing, has any other corporate discipline enjoyed such a rapid and widespread rise in credibility during the same decade? At the risk of falling into a cheerleader role, this is worth noting and celebrating. Current events have clearly been a huge driving factor, but today’s security leaders still deserve a pat on the back for helping craft the right organizational response to today’s threats.

These 2010 numbers aren’t a fluke. Progress in each area has been steadily upward over the years.

Having said that, those upward trends highlight the lack of progress in the bottom two issues. (See next chart for more detail.)




Illustration  by  Phil  Foster/theiSpot.com 


CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward.

If you are a senior security or IT professional, we’d love to have you join. Apply for membership today.

Visit linkedin.com, click Groups and search for “CSO Forum”.

Facilitated by CSOOnline.com and CSO Magazine



“I think people are developing new, holistic ways to communicate the security value statement.”
- John Petrie, VP and CISO at Harland Clarke Holdings

2010 State of the CSO


2. How well does each statement describe your organization? (Percent who Agree or Strongly Agree with each statement. A breakout of 2010 data from chart one, by company size)

Statement | At Big Companies | At Small Companies
--- | --- | ---
All managers in the organization understand their roles and responsibilities in regards to security. | 39% | 53%
All employees consider security to be part of their everyday responsibilities. | 33% | 44%

THIS CHART DIGS into a bit more detail on the two lagging issues noted in the first chart. In most awareness issues, big companies tend to score better than small companies. In these two, however— where overall progress is lacking— smaller companies actually report higher scores than their larger brethren.

We first noted this gap last year, and it persists this year. In last year’s survey write-up, we wondered whether this indicates that larger companies are overly reliant on process. A bigger organization naturally tends more toward specialization, which isn’t bad, but it can lead to stovepiping, which is. Employees and managers at smaller companies may be more likely to think of their job descriptions as ending with, “and other duties as necessary.”

That may be true. But presented with this data, one CSO offered a simple and clear explanation: “I would suggest this is all down to security management failing to communicate adequately with their audience,” says Brian Connor, CSO of Genpact, based in Gurgaon, India.

So what to do about it? Jason Richards, CISO for the Virginia Community College System, prescribes better-tailored awareness programs. This means exercises and examples using the specific data or assets the trainees handle every day. That’s more work than creating a one-size-fits-all newsletter and poster set.

On the other hand, the data suggests that the blanket approach simply isn’t very effective.


3. Which of the following methods and calculations do you apply in the security budgeting process?

Method | 2008 | 2010
--- | --- | ---
Return on Investment | 46% | 34%
Total Cost of Ownership | 39% | 32%
Annual Loss Expectancy | 14% | 13%
Net Present Value | N/A | 10%
Economic Value Added | 16% | 9%
No formal financial methodology | 42% | 51%

(Respondents could select multiple answers.)

IT’S EASY TO look at this chart, indicating a slow retrenchment in the use of specific common financial methodologies, and say this is another area where progress is not being made.

These methodologies are the standard language of business. However, they are notoriously difficult to apply to security with any confidence. For example, annual loss expectancies (a key data point in many calculations) derived from one industry may look fishy to companies in another industry.

“I think they are difficult, though not impossible, to use in the security area. People may start using them, but then find them cumbersome” and give up on them, says Richards.

So we’ll stop short of calling a drop in economic value added (EVA) usage a step backward for security. However, the obstinate persistence of “no formal financial methodology” remains troubling. If those specified in the survey don’t work, security as a field needs to develop credible alternatives if it wants to achieve long-term success. John Petrie, CISO at Harland Clarke Holdings, notes that while none of the methods listed here are perfect for capturing the value of security, they may be a start in piecing together the puzzle.

Calculating the value of security “encompasses much more than this type of data,” Petrie wrote in an e-mail response. “It also includes revenue numbers (or loss thereof), cost for response to incidents (per-record cost), and risks— reputational or otherwise— which are not easily calculated. I think people are developing new, holistic ways to communicate the security value,” Petrie says, “and using new measurements, in addition to traditional ones such as total cost of ownership (TCO), ROI, and EVA, to support the statement. As an example, deploying a data leakage protection solution is difficult to sell to leadership using just TCO or ROI,” he says. But when it’s combined with the ability to block employees from inadvertently sending out confidential data or intellectual property, he says, it “becomes a more powerful value statement. It becomes less of a cost discussion and more of an ‘acceptable risk’ discussion.”

4. Compared to the past 12 months, how will your overall security budget change?

Increase 34%
Stay the same 52%
Decrease 14%
Not sure 9%

SETTING  ASIDE  THE  long-term  picture 
for  a  moment,  what  does  the  near  future 
hold?  For  most  security  departments, 
steady  resources  or  a  modest  uptick.  That’s 
not  surprising,  as  it  mirrors  the  general 
direction  of  the  world’s  economy. 

5. In the past 12 months, has your organization’s leadership placed more value or less value on risk management?

More value 54%
No change 40%
Less value 6%

RESPONDENTS ALSO SAY their organizations’ leadership has placed more value on risk management in the past 12 months— or at least no less value. This continues the general trend of the past several years, although the percent responding “more value” was at a peak a few years back (69 percent in the 2006 survey).

6. Does your organization use a formal enterprise risk management process or methodology that incorporates multiple types of risk?

Answer | 2009 | 2010
--- | --- | ---
YES | 46% | 57%
NO | 54% | 43%

THE RISE OF formal enterprise risk management (ERM) has exceeded all but the most optimistic predictions. ERM may in fact be the replacement for the languishing financial methodologies noted above.

Jeff Spivey, President of Security Risk Management, reported at the CSO Perspectives conference in April that companies with a demonstrable ERM effort can receive better credit ratings. Better credit ratings allow companies to borrow money at lower interest rates.

CSOs should not fail to seize on that fact, as it hits the corporate bottom line quite directly. At this time, developing a full-fledged ERM program and working with your colleagues to mature that program may be a higher priority than working out the details of EVA or cost-based accounting.

7. In the past 12 months, how has the amount of time spent on regulatory compliance changed?

Increased 56%
No change 42%
Decreased 2%

THE AMOUNT OF time spent on regulatory compliance continues to rise. As these demands grow, so does the necessity of establishing a clear, efficient program for achieving and documenting compliance. ■


Derek  Slater  is  editor  in  chief  of  CSO.  Send 
feedback  to  dslater@cxo.com. 


Respondents

The State of the CSO survey was administered online to a qualified sample of CSO’s audience. Findings are based on responses of 227 security professionals.

Respondents represented a broad range of industries including government and nonprofits (26%), financial services (22%), high tech/telecom/utilities (15%), manufacturing (12%) and healthcare (9%), among others.

Respondents report involvement in numerous security-related activities including information security, privacy, fraud protection, investigations, audit, personnel security and more.



[  INDUSTRY  VIEW] 

By  Michael  Santarcangelo 


An  Addiction  to  Success 

You  say  you’re  a  lifelong  learner?  Prove  it! 


Photo by iStockphoto.com


The Career Compass program’s initial exercise focuses on identifying and distilling five key elements that differentiate each participant from the others. The purpose is to move beyond standard statements and unearth what really sets each of us apart. It is preparation to successfully respond to a general question of “Why should I hire you?”

The key to success is to move beyond cliche, marketingspeak and traditional resume fodder. Even for the practiced job seeker, this can be a challenge. Over the years of guiding people through this process, a common assertion I hear is “I have a passion for learning and self-development.”

Taken at face value, this is the sort of vague claim anyone can (and probably does) make when attempting to impress an interviewer. While the wording of the claim is forgettable, the trend itself is important: Most successful people have a lifelong addiction to learning.

As a lifelong learner myself, it’s a quality I cherish in others as well. Learning can be a personal pursuit— in other words, not engaged in to prove its value to anyone else.

However, if an addiction to learning is a basis for differentiating someone from other candidates, it’s important to describe, measure and demonstrate the claim.

Cultivating  an 
Addiction  to  Learning 

The desire and ability to learn is important to a successful career. Actions speak louder than words, and more important than the desire is the discipline to engage in learning on a regular basis.

On my first job out of college, at the age of 22, I was assigned to a technical team and ended up sitting next to a guy in his 50s who had been a helicopter pilot in Vietnam. Bill was (and probably still is) an amazing guy; he was cool in nearly any situation, spoke ill of no one and always either had an answer or was willing to find one.

We’d often eat lunch together sitting at our desks, and I still recall a key piece of advice he shared with me one day: “Michael, the key to success in life is to keep learning. You never know it all, and the technology is always going to change. If you keep learning, you can do anything. You’ll always have a job.”

While  I  was  already  a  passionate  seeker 
of  knowledge  and  experience  before  I  met 
Bill,  his  words  resonated  with  me  then,  and 
I  still  carry  them  with  me  today. 

While  everyone  learns  in  his  own 
unique  way,  there  are  three  dominant  styles 
of  learning: 

■  Visual 

■  Auditory 

■  Kinesthetic 

Most people have a dominant style, but we all learn across all three. Understanding how people learn is important for learners to maximize their investment, and important for people assessing the claim to understand its depth.

My dominant learning style is kinesthetic, which is relatively rare. I tend to learn better when I work through the material, but if the material is presented to me in other forms, I create the three-dimensional experience in my mind. I need to experience the information, if only in my head.

Over my years of learning about learning, I continue to find new pathways, insights and ways to learn. Lately I’ve found that the act of writing has improved my speaking; in turn, I’m better able to share my knowledge and experience. I always find that when I share what I have learned, I discover new elements and come away from the experience enriched.

Since learning tends to be highly personal— especially for adults— cultivating a habit that works amid the pressures of daily life is essential. There are no right or wrong ways to learn, share and grow.

The time spent considering the commitment to learning improves the results and provides the ability to more clearly explain the claim, if need be.

Demonstrating  the  Claim 

After you’ve asserted the claim of “lifelong learner” as a differentiating quality, most interviewers will probe deeper. To prepare to explain your personal commitment to learning, consider the perspective of a hiring manager or a potential client.

There are three key elements to demonstrating this claim:

■ Explaining your passion and process for learning

■ Quantifying your approach

■ Sharing your results

When it comes to explaining your passion, in my experience the best approach is a brief statement about your quest for learning, followed by an example. If asked, I would explain that my passion for learning has yet to meet limits; I am intrigued by all that is around me. I will sit and listen to literally anyone who wants to share their knowledge and experience with me.

For example, before deciding to travel the country with my family via RV, I used to fly— a lot. A perk, of course, was the opportunity to upgrade to business class, where I’ve found that people are generally eager to talk. After the quick introductions, I would routinely ask people to share their craft with me.

Soon after we purchased our RV— a diesel pusher with air brakes— I managed to sit on a plane next to a guy who sold a highly specialized component for air brakes. During that short flight, I became a pseudo-expert not only on air brake operation, but also on their maintenance and how the different components played a role in stopping my rolling house on wheels.

As a result, I have learned how to maintain our brakes and extend their operation while ensuring the safety of my family. As my kids would say, “How cool is that?”

In addition to that story, I can share many others about reading, writing, courses and conversations that have taught me something. Given that hiring managers are sometimes interested in quantifying general claims, it might be useful to be able to answer questions like these:

■  How  many  and  what  kind  of  training 
courses  do  you  take? 

■  What  books  have  you  read  recently? 

■  Do  you  attend  local  professional 
groups  and  take  advantage  of  free 
training? 

■  Do  you  participate  in  online  webinars? 

■  Do  you  share  what  you  have  learned 
with  others,  and  how? 

The final element to consider is the “So what?” question: As a learner, what is the impact on you and the results others experience? As a result of your addiction to learning, will costs be lower, productivity be higher or some other tangible benefit be realized?

So, how do you invest in your career success by learning? What habits have you developed? How do you share your success and demonstrate the results? Leave a comment or send me an e-mail about your efforts. ■


Security catalyst Michael Santarcangelo is the author of Into the Breach. He is also CSOonline.com’s career columnist and the creator of the “Awareness that Works” program.




[ CSO VIEW ]

By  Neil  Buckley 


The  Healthcare  Risk  Hunter’s 
Guide  to  the  Galaxy 


Properly managing the risks of the critical and complex healthcare industry requires security professionals to go into unfamiliar territory. It’s governed by a subculture that considers IT security practices neither necessary nor desirable in delivering patient care. An information security professional’s purpose is enabling business with minimal risk and exposure. While all other major industry verticals have award-winning risk-mitigation recipes, health care is the final frontier for building security-delivery models around business requirements.

One reason for the obscurity of patient-care technologies is that they’re often managed by a specialty IT division called biomedical engineering. Most hospitals create this department because they need staff that can resolve technical issues with point-of-care equipment in a direct patient-care setting. The team’s expertise is not risk analysis or risk management. Likewise, most information-security professionals don’t have the experience to properly analyze the risks of this class of infrastructure or fully understand the business goals that make it necessary.

How should information-security professionals navigate this terrain? First and foremost, they need to identify the services that have shadow repositories of personal health information and formalize the process of assessing their impact on the security program. Regardless of the size of the organization, there is no easy way to do this. Here’s a step-by-step guide, beginning in purchasing and contracts:

1. Build a list of vendors and business owners that may process patient information.

2. Interview the vendors, biomedical engineers and clinicians to get a feel for transactions, exposures, data storage and work flow.

3. Assess the lab system. All hospitals use at least one lab, which processes specimens and delivers test results to clinicians. It is inevitable that specimens carry some patient health information, so build a transaction map showing how a specimen is linked to the patient, whether it is labeled and what technologies support results delivery and information management. Spend time learning the work and data flows of these technologies. Proceed with caution, as not all lab systems are created equal. Some vendors take the security of the data traversing their systems very seriously and have put thought into developing security and risk-management models. Others have put zero time or energy into their product’s security and risk-management models, which makes for interesting risk-analysis conference calls. Most such calls initially elicit shock, as the medical device and software manufacturer’s grasp of computer controls and audit-trail implementation becomes apparent. Every vendor, without exception, uses default user and password settings or shared privileged accounts as the primary methods of administering these systems. Routine patching models are nearly nonexistent, thanks to liberal interpretations of the government’s FDA 510(k) certification requirements. The FDA doesn’t hold products handling personal health information responsible for data protection, which underscores the agency’s outdated methods of validating and certifying technologies that will be integrated into a healthcare organization’s network.

4. Set up regular meetings with key executives, business owners and biomedical engineering resources. Address the security strategy from a purely business perspective. Remind clinicians who struggle with the value of information security that all data relevant to the treatment and care of a patient is an extension of that patient, and so should be handled with the same care and scrutiny as any clinical decision. An event triggered by lax security controls that injures a patient is no less important than one induced by human error or a breakdown in clinical protocol.

To take on this challenge, you’ll need to buckle your seat belt. The path of managing risk in this environment is long and lined with roadblocks, but know that it’s the right way to go. Providing real value to a business undergoing a massive regulatory and legal transformation while managing an explosion of technologies— that’s how information-security professionals not only earn their keep, but truly add value. ■


bio:  Neil  Buckley  is  Enterprise  Information 
Security  Architect  at  Partners  Healthcare. 




“I pass company secrets via the web”

“I shop online all afternoon”

Monitoring, Surveillance and Investigation Software


[Spector 360 Dashboard screenshot: chart “Users Spending the Most Time Surfing Web Sites”, ranking users (Tom, Pat, Sarah, Brian, James, Nancy, Randy, Victor, Carol) by Active Time (hours); tabs: Criteria, Settings, Events, Reports, Chart Data]

More  than  50  built-in  charts  and  reports  allow  you 
to  quickly  and  easily  identify  your  top  achievers, 
productivity  wasters,  and  anyone  engaging  in 
inappropriate  or  potentially  damaging  conduct. 


NETWORK 

PRODUCTS  GUIDE 


See  results  within  24  hours  of  installing  Spector  360. . . 
we  guarantee  it!  Don't  just  take  our  word  for  it. 

Try  Spector  360  for  yourself  by  calling  1 .877.288.5699 
and  requesting  a  FREE  test  drive. 


SPECTOR 360: Monitoring, Surveillance and Investigation Software


MARKETPLACE 


“I surf x-rated sites from behind my cubicle walls”


Monitor  Employee  PC  &  Internet  Activity 


Spector  360  is  the  world's  first  monitoring  solution  that  makes  it 
easy  to  detect  inappropriate  employee  behavior.  At  the  touch  of  a 
button,  you  will  see  ALL  PC  &  Internet  activity  for  your  entire 
company  and  find  out  which  employees  are  working,  playing, 
doing  their  job  efficiently  or  putting  your  business  at  risk  by 
engaging  in  illicit  or  illegal  behavior. 


Spector  360  Records  ALL  Your  Employees' 

•  Emails  (Sent  and  Received)  •  Files  Saved  to  Removable  Media 

•  Chats  &  Instant  Messages  •  Google  &  Other  Online  Searches 

•  Keystrokes  Typed  •  Network  Traffic 

•  Web  Sites  Visited  and  much  more... 


Plus,  Spector  360  includes  a  powerful  screen  snapshot  recorder  that 
shows  you  in  exact  visual  detail  what  an  employee  does  every  step 
of  the  way.. .  think  of  it  as  a  surveillance  camera  for  your  office  PCs. 


2010  Product  Innovation  Award 

Spector  360  Awarded  Best  "Information 
Monitoring  and  Filtering  Solution" 


For  more  information,  visit: 

WatchWith360.com 

or  call  us  anytime 

1 .877.288.5699 


Expect  to  See  Immediate  Results 




[  debriefing] 


Security  Budget  Requests 
Through  The  Years 


1985 

To:  Brad  Breckenridge,  head  of  facilities 

Hey  Brad,  some  shady  characters  have  been  hanging  out 
near  the  loading  dock.  I  need  $100,000  next  year  to  swap 
out  our  access  control  system.... 

1995 

To:  Mary  Hopper,  CIO 

Leslie:  I’m  concerned  about  outsiders  infiltrating  our  data 
center.  I  need  $200,000  next  year  to  swap  out  our  access 
control  system.... 

1999 

To:  Art  Anderson,  CFO 

Mr. Anderson: You know that bathtub full of money that you and our CEO swam in at the annual shareholder offsite in Aspen? Did you guys actually shred that money to stuff your pillowcases as promised, or is that still sitting around in a basement somewhere? I know it’s chump change to you, but we could actually use that to replace our access control system....

2000 

To:  Art  Anderson,  CFO 

Mr.  Anderson:  Yes,  I  did  receive  the  memo  about  the 
spending  freeze,  and  we  did  participate  in  all  three 
rounds  of  RIFs.  In  fact,  that’s  the  reason  I  still  need  to 
push  that  request  for  $500,000  to  install  a  new  access 
control  system.... 

2010 

To:  P.  Bemstean,  head  of  audit  and  risk  committee,  Board 
of  Directors 

To  Whom  It  May  Concern:  I  hope  you  saw  the  executive 
dashboard  updates  regarding  our  EVA  contribution 
and  the  impact  of  the  proposed  access  control  system 
replacement  project  on  our  KPIs.... 

2020 

To:  Brad  Breckenridge  Jr.,  head  of  facilities 

Hi Brad, glad to meet you. I look forward to working for you, and congratulations again on graduating. I need $1,000,000 next year to swap out our access control system....


Photo by iStockphoto.com


8th  Annual 


Alta  Associates' 

Executive 
Women’s  Forum 

Information Security, Risk Management & Privacy


October  20-22,  2010  Hyatt  Regency  at  Gainey  Ranch  Scottsdale,  AZ 


Manage  Risk  and  Drive  Innovation 


ROI: 


The 8th annual Executive Women's Forum brings together more than 200 women of influence, power and intelligence who are leading experts in their field. Hosted by Alta Associates, Inc.


•  Earn  17  CPE  Credits 

•  Build  a  Network  of  the  Most  Dynamic  Women  in  Our  Industry 

•  Take  Home  Tools,  Templates  &  Solutions  to  Achieve  Success 

•  Expand  Your  Expertise  &  Capabilities 


Panels Include:

• Master Class— Cloud Computing & Access and Identity Management: Workshop developing decision making skills on choosing to leverage the cloud or your own internal resources

• Transforming Risk & Security Services from “Cost-Center” to “Profit and Revenue-Enabling Center”: Learn how risk and security managers use technology as a differentiator to promote customer confidence and drive revenue

• Data Protection: Regulatory and Privacy Challenges: Regulators and privacy experts reveal impacts and implications of regulations and compliance related to data protection

• Information Security, Privacy & Risk Management: From Research to Practice: Academic and research thought leaders showcase cutting edge solutions and their implications to industry practice

• Social Networking 2.0: Privacy Implications for Individuals and Industry: Social networking and privacy experts discuss emerging privacy considerations of the intersection between social networking, targeted advertising, and the unintended picture it can paint

• Balancing Risk with Innovation: Innovation creates risk as do new technologies. Discover ways to leverage emerging technologies while managing the risky business of innovation.

Women of Influence Awards

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO Magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy.

Winners will be announced at an awards ceremony during the EWF event.

NOMINATION FORM AVAILABLE AT: www.ewf-usa.com

Must be submitted by August 31, 2010

MEDIA SPONSOR & AWARDS co-presenter: CSO

FORUM HOST & AWARDS co-presenter:

DIAMOND SPONSORS: Symantec; Information Networking Institute, Carnegie Mellon; Microsoft


For  more  information  on  the  EWF  or  to  register,  please  visit:  www. 




60% OF PRODUCTION VIRTUAL MACHINES ARE LESS SECURE THAN THEIR PHYSICAL COUNTERPARTS!

THINK CONVENTIONAL SECURITY CAN PROTECT YOUR VIRTUAL ENVIRONMENT?

THINK AGAIN

Enterprises around the world are relying on virtualization to increase data center efficiency and, unknowingly, leaving themselves more vulnerable. That's because conventional security isn't able to protect virtual machines or see the traffic between them, leaving data and networks exposed. Which is why, according to Gartner Group, in 2009 sixty percent of virtual machines are less secure than their physical counterparts. But with Trend Micro™ Enterprise Security, powered by the Trend Micro™ Smart Protection Network™ infrastructure, you can mitigate the risk and maximize the benefits of virtualization. It's a different kind of security that protects your physical and virtualized environments and helps set the foundation for your company to move confidently into the cloud.

TREND MICRO

Learn how to protect your virtualized data center.

Download the Trend Micro eBook at trendmicro.com/thinkagain


© 2010 Trend Micro Inc. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Inc. All other company and/or product names may be trademarks or registered trademarks of their owners.

*Per Gartner Group Vice President Neil MacDonald, as quoted in: McLaughlin, Laurianne; "How to Find and Fix 10 Real Security Threats on Your Virtual Servers," CIO Magazine, 14 Nov. 2007, www.cio.com/article/print/154950

**Per Gartner Group Vice President Neil MacDonald, as quoted in: "Gartner: Rush to Virtualization Can Weaken Security," On-Demand Enterprise, 09 April 2007, http://www.ondemandenterprise.com/offthewire/gartner_rush_to_virtualization_can_weaken_security_07-29-2008_08…


